Link to home
Start Free TrialLog in
Avatar of matedwards
matedwardsFlag for United Kingdom of Great Britain and Northern Ireland

asked on

Group Policy when authenticating to Azure (365)

We have an on-prem domain syncing Users & Devices to our 365 (Azure) with AD Connect.
When an AD user authenticates against Azure (ie the login page has Access Work or School) the GPOs set on-prem do not apply to the User. Only Computer GPOs with Loopback Processing enabled apply.
The computer is still domain joined and the user exists on-prem and in Azure, so it's the same user account.
Can anyone explain what is happening? Or, how can I get them to apply?
Any help would be greatly appreciated.
Avatar of Jian An Lim
Jian An Lim
Flag of Australia image

If it is domain joined or hybrid joined. GPO will take precedence over anything else.
there is nothing specific you need.

If it is windows 10, i will go down to hybrid join (configure your AADConnect correctly)

For SSO,
with hybrid joined (or cloud joined), you will have windows 10 SSO (PRT SSO)
if domain joined, you will need to use AADConnect SSO (and add the URL to intranet)

I don't think I want to mention anything about cloud joined until you are ready.

Avatar of matedwards


Thank you, Jian.

We do have AD-Connect configured so I assume we have a 'hybrid' set-up.
The laptop and the user are in on-prem Active Directory.
The computer GPO settings apply but User GPO settings do not. Unless we apply 'loopback processing' and then the User GPO settings on the laptop OU apply for all users on that device.
Why don't existing User GPO settings apply?
If your laptop is joined to an on-premises Domain, then GPO will apply.

If your GPO  apply to user GPO, then user GPO (and computer GPO) will work
if your GPO apply to laptop GPO, then computer GPO will apply. If you put loopback processing, the user GPO will also apply. this usually happens on Terminal servers that the user GPO is different than your normal user GPO.


Avatar of RAFA
Flag of Venezuela, Bolivarian Republic of image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
I shall make sure all User settings are explicitly set at the GPO where Loopback processing is enabled.